PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46160 Linux CVE debrief

A logic error in the Linux kernel's Btrfs filesystem implementation allows directory removal operations to leave stale metadata that corrupts the journal replay process. When a directory is removed via rmdir(2) while a file descriptor remains open, the kernel fails to update the directory's last_unlink_trans field. If a subsequent fsync is issued on that file descriptor before a power failure, the resulting log replay produces an inconsistent filesystem state that prevents mounting with -EIO and emits a critical corruption warning about invalid nlink counts.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations running Linux systems with Btrfs root or data filesystems, particularly those with workloads involving container orchestration, build systems, or mail servers that frequently create, move, and remove directories with durability guarantees via fsync. Cloud providers offering Btrfs-backed instances and backup systems relying on Btrfs snapshots are also affected.

Technical summary

The Btrfs filesystem driver in the Linux kernel does not update the last_unlink_trans field of a directory inode when rmdir(2) succeeds. This field tracks the transaction ID of the last unlink operation and is used during log replay to determine whether an inode must be fully logged. When a directory is removed while an open file descriptor persists, and fsync is called on that descriptor, the resulting log tree contains inconsistent state: the directory appears both as deleted (in the main tree) and requiring replay (in the log). On next mount, replay encounters an inode with nlink count 2 but directory type, which violates Btrfs invariants (directories must have nlink ≤ 1), triggering -EIO and preventing mount. The fix ensures last_unlink_trans is updated during directory removal so subsequent fsync operations correctly log the inode state.

Defensive priority

high

Recommended defensive actions

  • Apply the referenced stable kernel commits to affected systems
  • Prioritize patching systems using Btrfs with workloads involving frequent directory removal and fsync operations
  • Monitor dmesg/syslog for 'BTRFS critical: corrupt leaf' and 'invalid nlink' messages indicating potential corruption from this issue
  • Verify filesystem integrity with btrfs scrub and btrfs check after unexpected power loss on unpatched systems
  • Consider disabling Btrfs tree-log (mount option nologreplay) only as temporary mitigation with acceptance of data loss risk

Evidence notes

The vulnerability description provides a complete reproduction scenario: create nested directories, sync, modify parent directory permissions, move child directory out, open file descriptor on now-empty parent, rmdir the parent, fsync the fd, then trigger power failure. The log replay fails with 'BTRFS critical: corrupt leaf: invalid nlink: has 2 expect no more than 1 for dir'. Five stable kernel commits are referenced as fixes.

Official resources

2026-05-28